fix(deps): update dependency next to v16.1.5 [security]#1164
Merged
Conversation
joker23 approved these changes (Mar 9, 2026)
Merged
joker23 pushed a commit that referenced this pull request (Mar 23, 2026):
🤖 I have created a release *beep* *boop*

---

<details><summary>akamai-edgeworker-sdk-common: 2.0.17</summary>

## [2.0.17](akamai-edgeworker-sdk-common-v2.0.16...akamai-edgeworker-sdk-common-v2.0.17) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-server-sdk-common bumped from ^2.18.2 to ^2.18.3
</details>

<details><summary>akamai-server-base-sdk: 3.0.18</summary>

## [3.0.18](akamai-server-base-sdk-v3.0.17...akamai-server-base-sdk-v3.0.18) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/akamai-edgeworker-sdk-common bumped from ^2.0.16 to ^2.0.17
    * @launchdarkly/js-server-sdk-common bumped from ^2.18.2 to ^2.18.3
</details>

<details><summary>akamai-server-edgekv-sdk: 1.4.20</summary>

## [1.4.20](akamai-server-edgekv-sdk-v1.4.19...akamai-server-edgekv-sdk-v1.4.20) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/akamai-edgeworker-sdk-common bumped from ^2.0.16 to ^2.0.17
    * @launchdarkly/js-server-sdk-common bumped from ^2.18.2 to ^2.18.3
</details>

<details><summary>browser: 0.1.13</summary>

## [0.1.13](browser-v0.1.12...browser-v0.1.13) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-client-sdk bumped from 4.4.0 to 4.4.1
</details>

<details><summary>browser-telemetry: 1.0.29</summary>

## [1.0.29](browser-telemetry-v1.0.28...browser-telemetry-v1.0.29) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * devDependencies
    * @launchdarkly/js-client-sdk bumped from 4.4.0 to 4.4.1
</details>

<details><summary>cloudflare-server-sdk: 2.7.17</summary>

## [2.7.17](cloudflare-server-sdk-v2.7.16...cloudflare-server-sdk-v2.7.17) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-server-sdk-common-edge bumped from 2.6.15 to 2.6.16
</details>

<details><summary>fastly-server-sdk: 0.2.9</summary>

## [0.2.9](fastly-server-sdk-v0.2.8...fastly-server-sdk-v0.2.9) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-server-sdk-common bumped from 2.18.2 to 2.18.3
</details>

<details><summary>jest: 1.0.8</summary>

## [1.0.8](jest-v1.0.7...jest-v1.0.8) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/react-native-client-sdk bumped from ~10.15.0 to ~10.15.1
</details>

<details><summary>js-client-sdk: 4.4.1</summary>

## [4.4.1](js-client-sdk-v4.4.0...js-client-sdk-v4.4.1) (2026-03-23)

### Bug Fixes

* Report data source state as valid after bootstrap ([#1203](#1203)) ([b00889f](b00889f))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-client-sdk-common bumped from 1.22.0 to 1.23.0
</details>

<details><summary>js-client-sdk-common: 1.23.0</summary>

## [1.23.0](js-client-sdk-common-v1.22.0...js-client-sdk-common-v1.23.0) (2026-03-23)

### Features

* FDv2 types, refined validators, and DataManager interface ([#1207](#1207)) ([d7ccfc1](d7ccfc1))
* FlagManager.applyChanges for FDv2 full/partial/none semantics ([#1208](#1208)) ([d9a1bd7](d9a1bd7))
* SourceFactoryProvider for declarative data source creation ([#1209](#1209)) ([e254f77](e254f77))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-sdk-common bumped from 2.23.0 to 2.24.0
</details>

<details><summary>js-sdk-common: 2.24.0</summary>

## [2.24.0](js-sdk-common-v2.23.0...js-sdk-common-v2.24.0) (2026-03-23)

### Features

* FDv2 types, refined validators, and DataManager interface ([#1207](#1207)) ([d7ccfc1](d7ccfc1))
</details>

<details><summary>js-server-sdk-common: 2.18.3</summary>

## [2.18.3](js-server-sdk-common-v2.18.2...js-server-sdk-common-v2.18.3) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-sdk-common bumped from 2.23.0 to 2.24.0
</details>

<details><summary>js-server-sdk-common-edge: 2.6.16</summary>

## [2.6.16](js-server-sdk-common-edge-v2.6.15...js-server-sdk-common-edge-v2.6.16) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-server-sdk-common bumped from 2.18.2 to 2.18.3
</details>

<details><summary>node-server-sdk: 9.10.10</summary>

## [9.10.10](node-server-sdk-v9.10.9...node-server-sdk-v9.10.10) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-server-sdk-common bumped from 2.18.2 to 2.18.3
</details>

<details><summary>node-server-sdk-dynamodb: 6.2.22</summary>

## [6.2.22](node-server-sdk-dynamodb-v6.2.21...node-server-sdk-dynamodb-v6.2.22) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * devDependencies
    * @launchdarkly/node-server-sdk bumped from 9.10.9 to 9.10.10
  * peerDependencies
    * @launchdarkly/node-server-sdk bumped from >=9.4.3 to >=9.10.10
</details>

<details><summary>node-server-sdk-otel: 1.3.10</summary>

## [1.3.10](node-server-sdk-otel-v1.3.9...node-server-sdk-otel-v1.3.10) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * devDependencies
    * @launchdarkly/node-server-sdk bumped from 9.10.9 to 9.10.10
  * peerDependencies
    * @launchdarkly/node-server-sdk bumped from >=9.4.3 to >=9.10.10
</details>

<details><summary>node-server-sdk-redis: 4.2.22</summary>

## [4.2.22](node-server-sdk-redis-v4.2.21...node-server-sdk-redis-v4.2.22) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * devDependencies
    * @launchdarkly/node-server-sdk bumped from 9.10.9 to 9.10.10
  * peerDependencies
    * @launchdarkly/node-server-sdk bumped from >=9.4.3 to >=9.10.10
</details>

<details><summary>react-native-client-sdk: 10.15.1</summary>

## [10.15.1](react-native-client-sdk-v10.15.0...react-native-client-sdk-v10.15.1) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-client-sdk-common bumped from 1.22.0 to 1.23.0
</details>

<details><summary>react-sdk: 0.1.0</summary>

## [0.1.0](react-sdk-v0.0.1...react-sdk-v0.1.0) (2026-03-23)

### Features

* pre-release of `@launchdarkly/react-sdk` ([#1201](#1201)) ([69f4790](69f4790))

### Bug Fixes

* **deps:** update dependency next to v16.1.5 [security] ([#1164](#1164)) ([929a385](929a385))
* **deps:** update dependency next to v16.1.7 [security] ([#1196](#1196)) ([1572be1](1572be1))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-client-sdk bumped from ^4.4.0 to ^4.4.1
    * @launchdarkly/js-server-sdk-common bumped from ^2.18.2 to ^2.18.3
</details>

<details><summary>server-sdk-ai: 0.16.7</summary>

## [0.16.7](server-sdk-ai-v0.16.6...server-sdk-ai-v0.16.7) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * devDependencies
    * @launchdarkly/js-server-sdk-common bumped from 2.18.2 to 2.18.3
  * peerDependencies
    * @launchdarkly/js-server-sdk-common bumped from 2.x to 2.18.3
</details>

<details><summary>server-sdk-ai-langchain: 0.5.3</summary>

## [0.5.3](server-sdk-ai-langchain-v0.5.2...server-sdk-ai-langchain-v0.5.3) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * devDependencies
    * @launchdarkly/server-sdk-ai bumped from ^0.16.6 to ^0.16.7
  * peerDependencies
    * @launchdarkly/server-sdk-ai bumped from ^0.15.0 || ^0.16.0 to ^0.16.7
</details>

<details><summary>server-sdk-ai-openai: 0.5.3</summary>

## [0.5.3](server-sdk-ai-openai-v0.5.2...server-sdk-ai-openai-v0.5.3) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * devDependencies
    * @launchdarkly/js-server-sdk-common bumped from 2.18.2 to 2.18.3
    * @launchdarkly/server-sdk-ai bumped from ^0.16.6 to ^0.16.7
  * peerDependencies
    * @launchdarkly/server-sdk-ai bumped from ^0.15.0 || ^0.16.0 to ^0.16.7
</details>

<details><summary>server-sdk-ai-vercel: 0.5.3</summary>

## [0.5.3](server-sdk-ai-vercel-v0.5.2...server-sdk-ai-vercel-v0.5.3) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * devDependencies
    * @launchdarkly/server-sdk-ai bumped from ^0.16.6 to ^0.16.7
  * peerDependencies
    * @launchdarkly/server-sdk-ai bumped from ^0.15.0 || ^0.16.0 to ^0.16.7
</details>

<details><summary>shopify-oxygen-sdk: 0.1.7</summary>

## [0.1.7](shopify-oxygen-sdk-v0.1.6...shopify-oxygen-sdk-v0.1.7) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-server-sdk-common bumped from 2.18.2 to 2.18.3
</details>

<details><summary>vercel-server-sdk: 1.3.42</summary>

## [1.3.42](vercel-server-sdk-v1.3.41...vercel-server-sdk-v1.3.42) (2026-03-23)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @launchdarkly/js-server-sdk-common-edge bumped from 2.6.15 to 2.6.16
</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Primarily metadata-only release changes (version constants, `package.json` deps, and `CHANGELOG.md` updates) with minimal functional code impact. Risk is limited to ensuring version strings and dependency bumps are consistent across packages.
>
> **Overview**
> **Automated release PR** that bumps versions across many packages via release-please and updates `.release-please-manifest.json` accordingly.
>
> Updates each package’s `package.json` (and a few embedded `sdkVersion`/`version` constants used for user-agent/platform info) plus `CHANGELOG.md` entries, and rolls forward internal dependency pins (notably `@launchdarkly/js-sdk-common` → `2.24.0`, `@launchdarkly/js-client-sdk-common` → `1.23.0`, `@launchdarkly/js-server-sdk-common` → `2.18.3`, and the leaf SDKs that depend on them).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 46e1356. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This PR contains the following updates:
next: 16.1.4 → 16.1.5

GitHub Vulnerability Alerts
Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
CVE-2025-59471 / GHSA-9g9p-9gw9-jx7f
More information
Details
A DoS vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
CVE-2025-59472 / GHSA-5f7q-jpqc-wp7h
More information
Details
A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

* Unbounded request body buffering: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.
* Unbounded decompression (zipbomb): The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with `experimental.ppr: true` or `cacheComponents: true` configured along with the `NEXT_PRIVATE_MINIMAL_MODE=1` environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
GHSA-h25m-26qc-wcjf
More information
Details
A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.
A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Release Notes
vercel/next.js (next)
v16.1.5 (Compare Source)
Please refer to the following changelogs for more information about this security release:
https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
https://vercel.com/changelog/summary-of-cve-2026-23864
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.